[messaging] "Pseudoword" base32 fingerprints

Trevor Perrin trevp at trevp.net
Wed Feb 5 18:46:40 PST 2014


> I don't think the words necessarily need to be spelled out.  With some processing,
> couldn't you could remove all words from the list that have low edit distances from
> each other, thereby ensuring that (if both parties have the words in front of them)
> letter-by-letter transcription is unecessary?

Yeah, I think choosing words that have a high audible and visual
distance from well-known words is a good idea, but has to be balanced
against other preferences (is the word short, well-known, easy to
pronounce, free of unpleasant associations, etc).

The PGPfone 8-bit wordlist considered all these factors.  It would be
interesting for someone to try a similar strategy with a 16-bit list
(Tony Arcieri I'm looking at you :-)

http://www.mathcs.duq.edu/~juola/papers.d/icslp96.pdf


On Wed, Feb 5, 2014 at 5:48 PM, Peter Eckersley <pde-lists at eff.org> wrote:
> Also, it strikes me that checking a whole 160 bit fingerprint on first use
> is potentially more work than needs to be done.

I'm arguing that 128-bit fingerprints are sufficient.  But anyways...


> Protocols like this should be possible:
>
> 1. Alice and Bob use Diffie Hellman or distributed RNG to compute a random
> number.  This starts a finite clock ticking (3 minutes? 15 minutes?)
> 2. The random number determines which portions of the fingerprint they're
> going to check now (perhaps on top of a history of which portions they've
> checked in the past, if your protocol can preserve that history reliably)
> 3. They check those portions of the fingerprint.
>
> In order to attack this, Eve needs to MITM the verification step and compute
> her collision against the (somewhat weakened) fingerprint in a fairly short
> of time (minutes vs weeks, say).
>
> If the verification step is short and easy, perhaps users can be trained to
> do a portion of it at the beginning of every session?

I think the useability cost is less in comparing two fingerprints and
more in getting hold of the "authenticated" fingerprint.

if you're going to check a public key against a fingerprint that means
you either contacted the owner through another channel and had them
send you the fingerprint (eg phone call), or got their business card,
or pulled up their website / profile page / directory entry, or asked
your friend to show you the fingerprint from her phone, or something.

All of those things are a hassle.  If you are checking different parts
of the fingerprint at different times you'll have to repeat those
actions a bunch of times, which seems less usable than just checking
the thing once and being done with it.


Trevor


More information about the Messaging mailing list